Two compromised releases of the widely used JavaScript HTTP client library Axios have set off warnings across the developer community following a supply chain attack on the npm package registry. Cybersecurity firm Socket first reported the incident, identifying axios@1.14.1 and axios@0.30.4 as the affected versions. Both releases were modified before being removed from npm, leaving any systems that installed them potentially exposed.
According to Socket, the tampered releases were altered to include a dependency on plain-crypto-js@4.2.1, a package published shortly before the attack and subsequently identified as malicious. The dependency was configured to execute automatically through a post-install script, meaning attackers could run code on a target system without any additional action from the user. This mechanism allowed the malicious code to activate the moment a developer installed either of the affected Axios versions.
Security company OX Security said the altered code can grant attackers remote access to compromised devices. This access can be used to steal sensitive information including login credentials, API keys, and crypto wallet data. OX Security advised any developer who installed the affected versions to treat their systems as fully compromised and to rotate all credentials, including API keys and session tokens, immediately.
Socket further recommended that developers audit their projects and dependency files for references to the affected Axios versions and the associated plain-crypto-js@4.2.1 package. Any compromised versions should be removed or rolled back without delay. The incident highlights how a single tainted open-source component can propagate risk across the many thousands of applications that depend on it, affecting not only developers but also downstream platforms and end users.
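The audit Socket recommends can be scripted against a project's `package-lock.json`. The block below is an added example written for this article; it is not code from Socket, OX Security or the Axios project. It looks for the three package/version pairs named above in both lockfile layouts npm produces (the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of versions 2 and 3), and separately lists every package the lockfile marks with `hasInstallScript`, since a lifecycle script is the mechanism the tampered dependency used. The embedded lockfile is a constructed sample, not a real project's file.

```python
"""Audit an npm lockfile for the Axios releases and the plain-crypto-js
dependency named in the Socket report, and list packages with install scripts.
Added example for this article; the SAMPLE_LOCK below is constructed."""
import json
import sys

# Package/version pairs the report identifies as compromised.
KNOWN_BAD = {
    ("axios", "1.14.1"),
    ("axios", "0.30.4"),
    ("plain-crypto-js", "4.2.1"),
}

# Constructed lockfileVersion 3 sample: a project pinned to the bad axios
# release, which in turn pulls in plain-crypto-js with an install script.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0",
             "dependencies": {"axios": "1.14.1"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1",
                                         "hasInstallScript": True},
        "node_modules/some-other-dep": {"version": "2.0.0"},
    },
}


def _name_from_path(path: str) -> str:
    """Lockfile v2/v3 keys look like 'node_modules/axios' or
    'node_modules/a/node_modules/@scope/b'; return the package name."""
    return path.rpartition("node_modules/")[2]


def find_bad_packages(lockfile: dict) -> list:
    """Return sorted (name, version, location) triples for every installed
    package matching KNOWN_BAD, handling lockfileVersion 1 and 2/3."""
    hits = set()

    # lockfileVersion 2/3: flat map keyed by install path ("" is the root).
    for path, meta in lockfile.get("packages", {}).items():
        if not path:
            continue
        name = meta.get("name") or _name_from_path(path)
        version = meta.get("version", "")
        if (name, version) in KNOWN_BAD:
            hits.add((name, version, path))

    # lockfileVersion 1: nested 'dependencies' tree. v2 files also carry a
    # legacy 'dependencies' block, so only walk it when 'packages' is absent.
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            version = meta.get("version", "")
            location = prefix + name
            if (name, version) in KNOWN_BAD:
                hits.add((name, version, location))
            walk(meta.get("dependencies", {}), location + " > ")

    if "packages" not in lockfile:
        walk(lockfile.get("dependencies", {}), "")
    return sorted(hits)


def packages_with_install_scripts(lockfile: dict) -> list:
    """Return sorted names of packages the lockfile (v2/v3) flags as having
    a preinstall/install/postinstall script. Each is worth a look even if
    it is not on the known-bad list."""
    names = set()
    for path, meta in lockfile.get("packages", {}).items():
        if path and meta.get("hasInstallScript"):
            names.add(meta.get("name") or _name_from_path(path))
    return sorted(names)


def main() -> int:
    """Usage: python audit_lock.py [package-lock.json]; defaults to the sample."""
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    bad = find_bad_packages(lock)
    for name, version, where in bad:
        print(f"COMPROMISED: {name}@{version} at {where}")
    for name in packages_with_install_scripts(lock):
        print(f"install script: {name}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against each project's lockfile; a non-zero exit marks a project whose installs should be treated as compromised per the advice above. Because the attack relied on a lifecycle script, installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) blocks that execution path, at the cost of breaking packages that legitimately build native code on install.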
The attack draws comparisons to earlier supply chain breaches in the crypto space. On January 3, onchain investigator ZachXBT reported that hundreds of wallets across Ethereum Virtual Machine-compatible networks had been drained in a broad attack that extracted small amounts from each victim. Cybersecurity researcher Vladimir S. suggested the incident may be connected to a separate breach that occurred in December.
That earlier breach involved Trust Wallet and resulted in approximately $7 million in losses spread across more than 2,500 wallets. Trust Wallet subsequently indicated the compromise may have originated from a supply chain attack targeting npm packages used within its development workflow. The sequence of events underscores how vulnerabilities introduced at the development tooling level can ultimately translate into direct financial losses for end users.
Originally reported by CoinTelegraph.
